Anyone Watching Activity from this network? Attempting Dovecot Buffer Overflows?
There is a network claiming to be a security company; however, the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services (and other attacks).
https://www.abuseipdb.com/check/104.156.155.21
Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company...
Might want to make up your own mind, or maybe someone has more information, but it was enough of a red flag that I thought it warranted posting on the list.
Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
Anyone with more information?
NetRange: 104.156.155.0 - 104.156.155.255
CIDR: 104.156.155.0/24
NetName: ACDRESEARCH
NetHandle: NET-104-156-155-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Academy of Internet Research Limited Liability Company (AIRLL)
RegDate: 2022-01-07
Updated: 2022-01-07
Ref: https://rdap.arin.net/registry/ip/104.156.155.0

OrgName: Academy of Internet Research Limited Liability Company
OrgId: AIRLL
Address: #A1- 5436
Address: 1110 Nuuanu Ave
City: Honolulu
StateProv: HI
PostalCode: 96817
Country: US
RegDate: 2021-10-15
Updated: 2022-11-06
Ref: https://rdap.arin.net/registry/entity/AIRLL
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended solely for the use of the individual or entity to which they are addressed. Please note that any views or opinions presented in this email are solely those of the author and are not intended to represent those of the company.
On Wed, 15 Nov 2023, 23:25 Michael Peddemors, <michael@linuxmagic.com> wrote:
Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly reputable, all of them supposedly with opt-out mechanisms, and all of them are blocked for not asking permission.
Ymmv.
Regards
Simon
Good day to all .....
Just adding to the conversation with how I had to deal with this years ago.
Basically, hacks against any server are an issue today, but it is cat & mouse trying to track all of this.
That being said, using the reported IP address below: I patched Postfix to log the IP address in one syslog pass (to ID the SASL user account + IP etc.).
Along with the above, Dovecot logging is verbose (Dovecot already does all access in one line, i.e. IP address, username (email address) etc.).
Combining the two, I run my own IP address firewall tracking system based on the syslogging in real time.
For Example :
# ipinfo 104.156.155.21
IP Status for : 104.156.155.21
IP Status : IPv4
NS Lookup (Forward) : 104.156.155.21
NS Lookup (Reverse) : None
IP Blacklisted Status : Found 104.156.155. for 104.156.155.21 [D] {Asterisk}
Last Program : sshd
Ip Location Info for : 104.156.155.21
No Ip Information Found
(ie ip location lookup failed / does not exist for this ip ?)
Basically the IP address block was found in my firewall, so something or someone has tried to hack one of my servers.
In the case of scom.ca I run an Asterisk server, and since the Asterisk is noted, someone tried hacking that one as well.
Basically I run a database that tracks and updates all firewalls in real time.
Running FreeBSD I use PF, and Asterisk is Linux based so I use iptables and update every 10 minutes.
The only time nowadays I get involved is if a customer calls and complains they are not getting emails etc.
That happens a few times a year.
Again just an FYI
This reply was more to indicate that all email servers (and anything attached to the internet) really need to run some sort of automated IP firewall when username/password hacks occur, no reverse IP address, etc.
Food for thought.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
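The log-driven blocking described in the post above, as an added example rather than Paul's patched Postfix or his ipinfo tool: constructed Dovecot login-process and Postfix smtpd SASL lines are parsed, failures are counted per source IP inside a sliding window, a client Postfix logged as "unknown" (no PTR record) gets a lower bar, and the result is rendered as pfctl table commands. The sample lines, the thresholds, the window and the table name are all assumptions.

```python
"""Log-driven IP blocking from Dovecot and Postfix auth/TLS failures (added example).

The log lines are constructed; the regexes follow the shape of default Dovecot
login-process and Postfix smtpd SASL messages; output is pfctl text, not executed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample (not real traffic): a password-guessing host with no PTR record,
# a host hammering the POP3S TLS handshake, and one user who mistyped a password once.
SAMPLE_LOG = """\
Nov 16 08:27:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s1>
Nov 16 08:27:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s2>
Nov 16 08:27:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<s3>
Nov 16 08:27:12 mail postfix/submission/smtpd[4321]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 16 08:30:00 mail dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=104.156.155.21, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: unsupported protocol, session=<s4>
Nov 16 08:30:01 mail dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=104.156.155.21, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: no shared cipher, session=<s5>
Nov 16 08:30:02 mail dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=104.156.155.21, lip=192.0.2.10, TLS handshaking: SSL_accept() failed: wrong version number, session=<s6>
Nov 16 09:00:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, TLS, session=<s7>
Nov 16 09:05:00 mail dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=99, TLS, session=<s8>
"""

DOVECOT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: "
    r"(?:imap|pop3|submission|managesieve)-login: .*?\brip=(?P<ip>[0-9A-Fa-f.:]+)"
)
POSTFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+\[\d+\]: warning: "
    r"(?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]: SASL \S+ authentication failed"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    kind: str            # "auth_fail" or "tls_fail"
    no_rdns: bool = False


def _ts(stamp, year):
    # syslog stamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_line(line, year=2023):
    """Return an Event for a failed login or failed TLS handshake, else None."""
    m = DOVECOT_RE.match(line)
    if m:
        if "auth failed" in line:
            kind = "auth_fail"
        elif "SSL_accept() failed" in line or "TLS handshaking:" in line:
            kind = "tls_fail"
        else:
            return None      # successful login or other chatter
        return Event(_ts(m["ts"], year), m["ip"], kind)
    m = POSTFIX_RE.match(line)
    if m:
        # Postfix prints "unknown" as the client name when the PTR lookup fails.
        return Event(_ts(m["ts"], year), m["ip"], "auth_fail", no_rdns=(m["host"] == "unknown"))
    return None


def _burst(times, window, threshold):
    """True if any window-sized span of the sorted times holds >= threshold events."""
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def offenders(events, window=timedelta(minutes=10), auth_threshold=3,
              auth_threshold_no_rdns=2, tls_threshold=3):
    """Map source IP -> reason for every IP that bursts past a threshold (assumed values)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    blocked = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        no_rdns = any(e.no_rdns for e in evs)
        limits = {"auth_fail": auth_threshold_no_rdns if no_rdns else auth_threshold,
                  "tls_fail": tls_threshold}
        for kind, limit in limits.items():
            if _burst([e.ts for e in evs if e.kind == kind], window, limit):
                blocked[ip] = kind + (" (no rDNS)" if no_rdns else "")
                break
    return blocked


def pf_commands(blocked, table="bruteforce"):
    """pfctl invocations adding each offender to a PF table (ipset users would emit `ipset add`)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    for ip, why in offenders(events).items():
        print(f"{ip}: {why}")
    print("\n".join(pf_commands(offenders(events))))
```

Feed it `tail -F` output from the mail log and pipe the commands to a shell, or write them into a table file that `pfctl -t bruteforce -T replace -f` reloads; the point of the sliding window is that a single mistyped password never trips it, while a burst of TLS handshake failures from one source does, even when no credentials are ever sent.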
On 11/15/2023 5:53 PM, Simon B wrote:
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Are there publicly available lists of IP ranges by region?
There's no reason for any IP outside of North America to be contacting Postfix on Submission (587) or IMAP, since these are employee-only services.
If not for mobile phones, we could really close it off.
On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:
Just adding to the conversation with how I had to deal with this years ago.
On 11/16/23 9:05 AM, Nick Lockheart wrote:
Are there publicly available lists of IP ranges by region?
I have some rather old IpToCountry.csv files from a now defunct site. It mapped IP allocations to country and included the RIR, date assigned, etc. This data is a few years old as the site was taken down and there is probably a lot of new or updated info. A GeoDB subscription may be useful in the case you are looking at.
brendan
Brendan Kearney wrote:
I have some rather old IpToCountry.csv files from a now defunct site. It mapped IP allocations to country and included the RIR, date assigned, etc. This data is a few years old as the site was taken down and there is probably a lot of new or updated info. A GeoDB subscription may be useful in the case you are looking at.
FWIW, if you look at https://github.com/milter-regex/milter-regex/blob/main/milter-regex-ip-prep.... it says you can "Download IP address allocation lists from the RIR ( Regional Internet Registry )
ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest
ftp://ftp.apnic.net/pub/stats/apnic/delegated-apnic-latest
ftp://ftp.arin.net/pub/stats/arin/delegated-arin-extended-latest
ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest"
OK, a few things about IP blocks:
If they are portable they can move from country to country without any real notice.
The IP that triggered all this says it is allocated from NL (Netherlands) but physically exists in Hawaii?
No list will ever be 100% accurate.
I did find this link that displays by country, but then you have to click the country, understanding that some subnets are split out by class "A" / "B" & "C".
A whole class "A" for example can be split into many subclasses, thus pointing different ranges to different countries.
https://www.nirsoft.net/countryip/
Maybe write a Python program to grab and make a table of IP addresses?
It has a link to download a CSV, so some kind of loop stripping out the country links would probably be OK, and then download the CSV file and create a full CSV file.
Then use that for your firewall, keeping in mind it needs to be updated regularly.
I did look around, as ARIN is responsible for all of this, but could not find a list there either.
https://www.arin.net/reference/
ARIN is mainly responsible for allocating blocks but not really responsible for where they might get used.
Same with other whois databases around the globe.
Also note IPv6 is also out there now and adds a whole new layer to all of this.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
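The RIR delegated files linked in the milter-regex note above are the list Nick asked for, and they are simpler to consume than scraping a per-country page as Paul sketches. As an added example, not milter-regex's script and not Paul's code: parse the published delegated format, split IPv4 counts that are not a power of two into proper CIDRs, keep only the chosen countries, and do a longest-prefix lookup. The sample records are constructed (the 104.156.155.0 line mirrors the ARIN whois output quoted earlier in the thread; the rest are documentation ranges), and the PF table name in the usage note is an assumption.

```python
"""Per-country CIDR tables from the RIR delegated files (added example, constructed data)."""
import ipaddress

# Constructed excerpt in the delegated-extended layout:
#   registry|cc|type|start|value|date|status[|opaque-id]
# For ipv4, value is an address count (not always a power of two); for ipv6
# it is a prefix length.  The 104.156.155.0 record mirrors the whois output
# quoted in the thread; the other prefixes are documentation/benchmark ranges.
SAMPLE_DELEGATED = """\
2|arin|20231116|7|20031126|20231115|-0500
arin|*|ipv4|*|5|summary
arin|*|ipv6|*|1|summary
arin|*|asn|*|1|summary
arin|US|ipv4|104.156.155.0|256|20220107|allocated|a1
arin|CA|ipv4|198.51.100.0|768|20100101|assigned|a2
ripencc|NL|ipv4|192.0.2.0|256|20100101|assigned|r1
arin|US|ipv4|203.0.113.0|256|20100101|assigned|a3
arin||ipv4|198.18.0.0|131072|20230101|reserved|
arin|US|ipv6|2001:db8::|32|20100101|allocated|a4
arin|US|asn|64496|1|20100101|assigned|a5
"""


def parse_delegated(text):
    """Yield (country_code, network) for every allocated/assigned IP record."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version header (numeric first field), 6-field summary lines and asn
        # records are skipped, as are reserved/available address blocks.
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        if fields[6] not in ("allocated", "assigned"):
            continue
        cc, kind, start, value = fields[1], fields[2], fields[3], int(fields[4])
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + (value - 1)
            # A count such as 768 is not one CIDR block; emit the minimal set.
            for net in ipaddress.summarize_address_range(first, last):
                yield cc, net
        else:
            yield cc, ipaddress.IPv6Network(f"{start}/{value}")


def country_table(text, countries):
    """Collapsed IPv4 and IPv6 prefixes registered to any of `countries`."""
    wanted = {c.upper() for c in countries}
    nets = [net for cc, net in parse_delegated(text) if cc in wanted]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def lookup(ip, records):
    """Longest-prefix match of `ip` against (cc, net) records; None if unlisted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cc, net in records:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (cc, net)
    return best[0] if best else None


def pf_table_lines(nets):
    """Body of a PF table file, one prefix per line."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    records = list(parse_delegated(SAMPLE_DELEGATED))
    print(lookup("104.156.155.21", records))
    for line in pf_table_lines(country_table(SAMPLE_DELEGATED, ["US", "CA"])):
        print(line)
```

Concatenate the five delegated-*-latest files and run the whole set through `country_table`, write the result to a file loaded with `table <north_america> persist file "/etc/pf/north_america.txt"` (an assumed name), and only `pass` traffic from that table to ports 587/993/995. The caveat Paul raises still applies: the files say which registry and country a block is registered to, not where the machines are, and the data has to be refreshed on a schedule.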
On 11/16/2023 9:31 AM, Brendan Kearney wrote:
I have some rather old IpToCountry.csv files from a now defunct site. It mapped IP allocations to country and included the RIR, date assigned, etc. This data is a few years old as the site was taken down and there is probably a lot of new or updated info. A GeoDB subscription may be useful in the case you are looking at.
On 11/16/23 10:56 AM, Paul Kudla wrote:
Ok a few things about IP blocks
If they are portable they can move from country to country ??
without any real notice.
the ip that triggered all this says it is allocated from NL (Neatherlands) but physicaly exists in Hawii ?
No list will ever be 100% acurate
I did find this link that displays by country but then you have to click the country understanding that some sub nets are split out by class "A" / "B" & "C"
A whole class "A" for example can be split into many subclasses thus point difference ranges to different countries.
https://www.nirsoft.net/countryip/
maybe write a python program to grab and make a table of ip addresses ?
it has a link to download a csv so some kind of loop striping out the country links would probably be ok and then download the csv file and create a full csv file.
then use that for your firewall keeping in mind it needs to be updated regularly.
I did look around as arin net is responsible for all of this but could not find a list there either.
https://www.arin.net/reference/
Airn Net is mainly responsible for allocating blocks but not really responsible for where they might get used.
same with other whois databases around the globe.
also note IPV6 is also out there now and adds a whole new layer to all of this.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
On 11/16/2023 9:31 AM, Brendan Kearney wrote:
On 11/16/23 9:05 AM, Nick Lockheart wrote:
Are there publicly available lists of IP ranges by region?
There's no reason for any IP outside of North America to be contacting Postfix on Submission (587) or IMAP, since these are employee only services.
If not for mobile phones, we could really close it off.
On Thu, 2023-11-16 at 08:27 -0500, Paul Kudla wrote:
Good day to all .....
Just adding to the conversation with how I had to deal with this years ago.
Basically hacks to any server are an issue today, but it is cat & mouse trying to track all of this.
That being said, using the reported IP address below, I patched postfix to log the IP address in one syslog pass (to ID the SASL user account + IP etc.)
Along with the above, dovecot logging is verbose (dovecot already does all access in one line, i.e. IP address, username (email address) etc.)
Combining the two, I run my own IP address firewall tracking system based on the syslogging in real time.
For Example :
# ipinfo 104.156.155.21
IP Status for : 104.156.155.21
IP Status : IPv4 NS Lookup (Forward) : 104.156.155.21 NS Lookup (Reverse) : None
IP Blacklisted Status : Found 104.156.155. for 104.156.155.21 [D] {Asterisk} Last Program : sshd
Ip Location Info for : 104.156.155.21
No Ip Information Found
(i.e. IP location lookup failed / does not exist for this IP?)
Basically the IP address block was found in my firewall, so something or someone has tried to hack one of my servers.
In the case of scom.ca I run an asterisk server, and since asterisk is noted, someone tried hacking that one as well.
Basically I run a database that tracks and updates all firewalls in real time.
Running FreeBSD I use PF, and asterisk is linux based so I use iptables and update every 10 minutes.
Only time nowadays I get involved is if a customer calls and complains they are not getting emails etc.
That happens a few times a year.
Again just an FYI
This reply was more to indicate all email servers (and anything attached to the internet) really need to run some sort of automated IP firewall when username/password hacks occur, no reverse IP address, etc.
Food for thought.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
On 11/15/2023 5:53 PM, Simon B wrote:
On Wed, 15 Nov 2023, 23:25 Michael Peddemors, <michael@linuxmagic.com> wrote: There is a network claiming to be a security company, however the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services.. (and other attacks).
https://www.abuseipdb.com/check/104.156.155.21
Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company...
Might want to make up your own mind, or maybe someone has more information, but enough of a red flag, that thought it warranted posting on the list.
Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
Anyone with more information?
NetRange: 104.156.155.0 - 104.156.155.255 CIDR: 104.156.155.0/24 NetName: ACDRESEARCH NetHandle: NET-104-156-155-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Academy of Internet Research Limited Liability Company (AIRLL) RegDate: 2022-01-07 Updated: 2022-01-07 Ref: https://rdap.arin.net/registry/ip/104.156.155.0
OrgName: Academy of Internet Research Limited Liability Company OrgId: AIRLL Address: #A1- 5436 Address: 1110 Nuuanu Ave City: Honolulu StateProv: HI PostalCode: 96817 Country: US RegDate: 2021-10-15 Updated: 2022-11-06 Ref: https://rdap.arin.net/registry/entity/AIRLL
--
See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly reputable, all of them supposedly with opt-out mechanisms, and all of them are blocked for not asking permission.
Ymmv.
Regards
Simon
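The real-time auth-failure tracking Paul describes above (Dovecot logs the client IP on one line; repeat failures become PF or iptables rules), as an added Python example that is not Paul's code: the log lines are constructed samples in Dovecot's imap-login/pop3-login "auth failed" format, and the 10-minute window, the threshold of 5 attempts, the office allow range and the PF table name are assumptions.

```python
"""Count Dovecot authentication failures per remote IP over a sliding window
and emit firewall commands for the offenders. Constructed example; the
log lines, thresholds and table name are not from the thread."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2023  # syslog timestamps carry no year; assumption for parsing

# Constructed sample syslog lines in Dovecot's real login-process format.
SAMPLE_LOG = """\
Nov 16 08:20:01 mx dovecot: imap-login: Disconnected: Connection closed (auth failed, 3 attempts in 12 secs): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS, session=<a1>
Nov 16 08:20:09 mx dovecot: pop3-login: Disconnected: Connection closed (auth failed, 2 attempts in 5 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS, session=<a2>
Nov 16 08:20:30 mx dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, mpid=1234, TLS, session=<a3>
Nov 16 08:21:10 mx dovecot: imap-login: Disconnected: Connection closed (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS, session=<a4>
Nov 16 09:40:00 mx dovecot: imap-login: Disconnected: Connection closed (auth failed, 4 attempts in 20 secs): user=<erin>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, TLS, session=<a5>
"""

# Matches the "(auth failed, N attempts in S secs)" disconnect line and pulls
# out the timestamp, the attempt count and the remote IP (rip=).
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*dovecot: (?:imap|pop3)-login: "
    r"Disconnected.*\(auth failed, (?P<n>\d+) attempts? in \d+ secs\)"
    r".*rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def offenders(log_text, window=timedelta(minutes=10), threshold=5, allow=()):
    """Return the sorted remote IPs whose failed attempts reach `threshold`
    within any `window`. Addresses inside `allow` networks (e.g. the office)
    are never reported, so a locked-out colleague cannot ban the whole site."""
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    events = defaultdict(list)  # rip -> [(timestamp, attempts), ...]
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        rip = ipaddress.ip_address(m.group("rip"))
        if any(rip in net for net in allow_nets):
            continue
        events[str(rip)].append((ts, int(m.group("n"))))

    blocked = []
    for rip, evs in events.items():
        evs.sort()
        start = total = 0
        for ts, n in evs:
            total += n
            # Drop events that fell out of the window ending at `ts`.
            while evs[start][0] < ts - window:
                total -= evs[start][1]
                start += 1
            if total >= threshold:
                blocked.append(rip)
                break
    return sorted(blocked)


def firewall_commands(ips, pf_table="authfail"):
    """Commands for Paul's mixed setup: a PF table on FreeBSD and plain
    iptables drops on the Linux hosts. Returned as two lists of strings."""
    pf = [f"pfctl -t {pf_table} -T add {ip}" for ip in ips]
    ipt = [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
    return pf, ipt


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG, allow=["203.0.113.0/24"])  # constructed office range
    for cmd in firewall_commands(bad)[0]:
        print(cmd)
```

Feed it the real syslog stream (or run it from cron every few minutes, as Paul does with a 10-minute cycle) and expire table entries after a day or two so CGN and shared-IP users are not locked out indefinitely.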
The info I have is the ARIN, APNIC, etc. registry (RIR) info about where the allocation was made, but does not go to the next layer about who the allocation was made to.
dn: ipNetworkNumber=104.0.0.0,c=US,ou=GeoLocation,dc=bpk2,dc=com
description: /12
ipnetmasknumber: 255.240.0.0
ipnetworknumber: 104.0.0.0
l: United States
objectclass: ipNetwork
objectclass: top
I am not sure how often things change in terms of allocations moving from geo location, but I could see that who the allocations are made to could move more frequently.
The CSV I downloaded had the CIDR notation in the allocation. Example:
"0","16777215","iana","410227200","ZZ","ZZZ","Reserved"
Through a bash script, I converted that to LDIF:
dn: ipNetworkNumber=0.0.0.0,c=ZZ,ou=GeoLocation,dc=bpk2,dc=com
ipnetworknumber: 0.0.0.0
ipnetmasknumber: 255.0.0.0
l: Reserved
description: /8
objectclass: ipnetwork
objectclass: top
and added it to my DIT for reference. If I could use the info for geofencing in my firewall, I would, but the integration between tools does not exist. Would be nice.
ARIN is only one RIR, and has allocated 57,609 of the total 162,988 records in the CSV I have. Having the data from the other RIRs helps with a more holistic view of all allocations. I do have an IPv6 version of the CSV, but have not parsed that yet. Some questions about how I would store the IPs come to mind, and never got answered.
brendan
On 16.11.23 16:56, Paul Kudla wrote:
the ip that triggered all this says it is allocated from NL (Neatherlands) but physicaly exists in Hawii ?
As someone working for a LIR, let me clarify a couple things:
IPs get assigned to organizations. The registered contacts may well be that organization's main offices on one continent while the hardware actually using those addresses is located someplace different - and the users whose traffic gets its public IP from that hardware could well be in a third.
If we were also an upstream provider operating in several nations, we would not be obliged to use separate IP ranges for (the customers in) different nations, or to register such information with the RIR, much less making it public.
One of our customers uses the services of ZScaler to access the Internet, and thus a service where we maintain a whitelist of client IPs that may connect. Every now and then, "their" IPs will change from, e.g., a range assigned to "ZScaler Düsseldorf", to one designated "ZScaler Zürich", to "ZScaler Frankfurt", etc., while our actual customer doesn't move more than whatever amount the keycaps on his keyboard need to travel.
Having that said, there are people trying to *second guess* the actual location behind an IP address, from Google (ever wondered why, when you open Google Maps, it usually *happens* to show the place you're in?) to https://www.maxmind.com/en/solutions/ip-geolocation-databases-api-services to hobbyists, and there are software frameworks to make services geofenced or location aware (e.g., there are packages "GeoIP" and "plasma-workspace-geolocation" installed on my laptop apparently right off the bat). And yes, there might easily be no info for an IP you look up, or some that's plain wrong.
And *then* there are things like Anycast or BGP hijacking or VPN services to obscure one's origin or ...
Kind regards,
Jochen Bern Systemingenieur
Binect GmbH
Thanks for the insight. Being an ISP I like this kind of info, even if it is off topic a bit on the dovecot mailing lists; security today is up there with operational stuff.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
My original reason for asking was, in addition to setting up a new mail server, there was a topic that came up about port scanning.
My thought was, if the only people that need email services on ports 587 and 993 are employees, there might be a way to close down access to those ports to reasonable ranges that employees might actually use.
If ranges are assigned to organizations, and you knew that you only wanted phone access, couldn't you enter the IP ranges assigned to T- Mobile, AT&T, etc as a firewall rule to allow, else deny?
DENY Fail2Ban IPs
ALLOW US Based Consumer ISPs
ALLOW Our Office
DENY others
That seems like it would reduce the number of people that could try to brute force your IMAP/SMTP logins.
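The CSV-to-LDIF conversion Brendan describes earlier and the ordered DENY/ALLOW/ALLOW/DENY list Nick sketches above, as one added Python example that is not code from either poster: the BASE_DN suffix and the first CSV row come from Brendan's message, every other row, the office network and the banned network are constructed, and ipaddress.summarize_address_range does the range-to-CIDR splitting (a non-aligned from/to range becomes several blocks, which is why a single prefix per row is not always enough).

```python
"""Parse IpToCountry.csv-style rows (integer from/to, registry, assigned
epoch, 2- and 3-letter country codes, name), split each range into CIDR
blocks, emit Brendan's LDIF shape, and evaluate Nick's ordered policy.
Constructed example; rows beyond the first and all networks are made up."""
import csv
import io
import ipaddress

BASE_DN = "ou=GeoLocation,dc=bpk2,dc=com"  # suffix taken from Brendan's LDIF

# Constructed rows; only the first mirrors the line quoted in the thread.
# The last row is deliberately not CIDR-aligned (192.0.2.0 - 192.0.3.127).
SAMPLE_CSV = '''\
"0","16777215","iana","410227200","ZZ","ZZZ","Reserved"
"1744830464","1745879039","arin","1195948800","US","USA","United States"
"3325256704","3325256959","ripencc","1400000000","NL","NLD","Netherlands"
"3221225984","3221226367","arin","1300000000","CA","CAN","Canada"
'''


def parse_rows(text):
    """Return [(network, cc, country_name, registry), ...]; a from/to range
    that is not a single CIDR block yields one tuple per block."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue  # skip blank or truncated rows
        first = ipaddress.ip_address(int(row[0]))
        last = ipaddress.ip_address(int(row[1]))
        for net in ipaddress.summarize_address_range(first, last):
            out.append((net, row[4], row[6], row[2]))
    return out


def to_ldif(net, cc, name):
    """One ipNetwork entry in the attribute order Brendan's script produced."""
    return "\n".join([
        f"dn: ipNetworkNumber={net.network_address},c={cc},{BASE_DN}",
        f"ipnetworknumber: {net.network_address}",
        f"ipnetmasknumber: {net.netmask}",
        f"l: {name}",
        f"description: /{net.prefixlen}",
        "objectclass: ipnetwork",
        "objectclass: top",
    ])


def build_policy(rows, allow_countries, office_nets, banned_nets):
    """Ordered rules, first match wins, mirroring Nick's list:
    DENY banned (fail2ban) -> ALLOW consumer-country ranges -> ALLOW office.
    Anything unmatched falls through to the implicit DENY in decide()."""
    country_nets = [net for net, cc, _, _ in rows if cc in allow_countries]
    return [
        ("deny", "fail2ban", [ipaddress.ip_network(n) for n in banned_nets]),
        ("allow", "consumer-isp", country_nets),
        ("allow", "office", [ipaddress.ip_network(n) for n in office_nets]),
    ]


def decide(ip, policy):
    """Return (action, reason) for a client address under the ordered policy."""
    addr = ipaddress.ip_address(ip)
    for action, reason, nets in policy:
        if any(addr in n for n in nets):
            return action, reason
    return "deny", "default"


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print(to_ldif(*rows[0][:3]))
    # Office range and banned block are constructed/from the thread respectively.
    policy = build_policy(rows, {"US"}, ["203.0.113.0/24"], ["104.156.155.0/24"])
    for ip in ("104.156.155.21", "104.3.4.5", "203.0.113.9", "198.51.100.9"):
        print(ip, decide(ip, policy))
```

Note that the country layer only says where the RIR recorded the allocation, not where the hosts or users are (as the LIR reply in this thread explains), so the "consumer-isp" rule is a coarse filter, not an identity check.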
Recent versions of denyhosts offer protection for dovecot IMAP if enabled, by scanning logs and adding firewall rules as well as hosts.deny rules. That may help.
On 2023-11-17 02:18, Nick Lockheart wrote:
My original reason for asking was, in addition to setting up a new mail server, there was a topic that came up about port scanning.
My thought was, if the only people that need email services on ports 587 and 993 are employees, there might be a way to close down access to those ports to reasonable ranges that employees might actually use.
However, for most people, not really worth the time to re-invent the wheel, but most people pay attention to spam tools and filters, but don't consider tools for testing authentication sources..
As a commercial provider, don't mind passing on 'tips'.. but it is a multi-tiered approach. One that is often easier dealt with by commercial products, public RBL's etc, designed for authentication restrictions, but the ONLY real way to deal with AUTH attacks, is 2FA of some sort..
But other than that, there are two things you are trying to address: Bots & Hackers..
Bot traffic will 'probably' not bother someone with good password policies, unless of course you allow clients to send passwords in plain text, or in a case of password re-use..
Still, you can address 'overhead', and the less you have in the logs, the easier it is to see real threats. Country AUTH restrictions ARE simple, and there ARE some countries that your clients will never travel to.. but this won't stop hackers that simply use VPNs/Proxies/Compromised Servers to access your accounts.
This applies to 465/587 as well as Dovecot AUTH mechanisms.
Rate limiters of course are ALWAYS important.. However, you have to realize that IP rate limiters CAN cause problems when trying to deal with CGNs, shared IPs, etc..
And of course, as someone else pointed out, your 'clients' usually use carrier networks to access email, NOT cloud providers.
Hackers LOVE using the cloud, eg Amazon, gCloud, Azure for their attacks, but your clients don't come from there.. so block those IP spaces by default, but allow an override in case there is a real reason to access email from there (desktop in a cloud? data monitoring scripts? SaaS which monitors your mailbox?)
And what about the other clouds.. Hackers are often getting VPSes strictly for hacking purposes, or to put up open proxies to get around country blocking.. (or hacking servers for that purpose)
Should any of your clients need to log in from an OVH or Digital Ocean or ColoCrossing IP?
But as you can see, this starts to become a lot of work to consider all the risk factors, and we all have too many things to do..
Consider looking at tools that do this for you, unless you want to make a hobby out of looking at AUTH logs..
As well, there are several RBLs out there strictly monitoring hacking sources, including one of our own partners.. SpamRats RATS-AUTH and RATS-NULL...
Many of these are free to use, and either update regularly, or are available as realtime RBLs..
Our spam auditors.. it's amazing how often they see the same IPs used in email compromises all over the world.. Make sure that you clearly show the IP address in your Received headers as well; it will help others help you..
Received: from [10.NNN.NNN.NNN] (unknown [37.NNN.NNN.NNN]) by youserver.com (Postfix) with ESMTPSA
But of course, again .. off topic.. but hackers OFTEN will eavesdrop on your customers' IMAP accounts just to steal data, way before they start abusing them for sending spam..
IMAP authentication, and BEC (Business Email Compromise) in general are some of our biggest threats, so all users of dovecot have a role to play in securing access..
but again ... Transparent 2FA first and foremost ;)
Again, hoping more of our patches for Dovecot 2FA ClientID see the light of day, and we are willing to work with anyone to help make that happen for ANY platform..
-- "Catch the Magic of Linux..."
Michael Peddemors, President/CEO LinuxMagic Inc. Visit us at http://www.linuxmagic.com @linuxmagic A Wizard IT Company - For More Info http://www.wizard.ca "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
604-682-0300 Beautiful British Columbia, Canada
On 17.11.23 11:18, Nick Lockheart wrote:
If ranges are assigned to organizations, and you knew that you only wanted phone access, couldn't you enter the IP ranges assigned to T-Mobile, AT&T, etc as a firewall rule to allow, else deny?
More precisely, you'd need only the IP pools used by their GGSNs/PGWs, but that info is *still* not exactly public and you'd *still* be unlikely to get any support, whether the situation is a change in the pools, an actual malfunction, or a user who - for whatever reason - uses a setup off your clean concepts.
https://en.wikipedia.org/wiki/GPRS_core_network#Gateway_GPRS_support_node_(G...) https://en.wikipedia.org/wiki/System_Architecture_Evolution#PGW_(Packet_Data...)
(... I still remember the times when mobile network operators here used one set of gateways for the then-prevalent traffic to TCP port 80, and another for the rest of Internet traffic. Guess what happened when we naively assumed that our users would appear under the *same* IP with both ...)
Buuuut ... assuming that you're talking about *company* cell phones, or, more precisely, company-IT-administrated smartphones, why not just have a VPN client installed on them? ;-)
Kind regards,
Jochen Bern Systemingenieur
Binect GmbH
And what if someone is on vacation? You can also use dnsbl on your submission, that helps a lot.
Look at https://academyforinternetresearch.org/ and you will see what they do, why they do it and how to opt any of your IPs out of their scans (ASN 400161, 104.156.155.0/24).
-----Original Message----- From: Paul Kudla [mailto:paul@scom.ca] Sent: Thursday, November 16, 2023 8:28 AM To: dovecot@dovecot.org Subject: Re: Anyone Watching Actvity from this network? Attempting Dovecot Buffer Overflows?
Good day to all .....
Just adding to the conversation with how I had to deal with this years ago.
Basically hacks to any server are an issue today but it is cat & mouse trying to track all of this.
That being said using the reported ip address below, I patched postfix to log the ip address in one syslog pass (to id the sasl user account + ip etc)
Along with the above dovecot logging is verbose (dovecot already does all access in one line - ie ip address, username (email address) etc)
combining the two I run my own ip address firewall tracking system based on the syslogging in real time.
For Example :
# ipinfo 104.156.155.21
IP Status for : 104.156.155.21
IP Status : IPv4 NS Lookup (Forward) : 104.156.155.21 NS Lookup (Reverse) : None
IP Blacklisted Status : Found 104.156.155. for 104.156.155.21 [D] {Asterisk} Last Program : sshd
Ip Location Info for : 104.156.155.21
No Ip Information Found
(i.e. the IP location lookup failed / does not exist for this IP?)
Basically, the IP address block was found in my firewall, so something or someone has tried to hack one of my servers.
In the case of scom.ca, I run an Asterisk server, and since Asterisk is noted, someone tried hacking that one as well.
Basically, I run a database that tracks and updates all firewalls in real time.
Running FreeBSD, I use PF; Asterisk is Linux-based, so there I use iptables and update every 10 minutes.
The only time nowadays I get involved is if a customer calls and complains they are not getting emails etc.
That happens a few times a year.
Again, just an FYI.
This reply was more to indicate that all email servers (and anything attached to the internet) really need to run some sort of automated IP firewall when username/password hacks occur, no reverse IP address, etc.
Food for thought.
Have A Happy Thursday !!!
Thanks - Paul Kudla (Manager SCOM.CA Internet Services Inc.)
Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3
Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@scom.ca
On 11/15/2023 5:53 PM, Simon B wrote:
On Wed, 15 Nov 2023, 23:25 Michael Peddemors, <michael@linuxmagic.com> wrote:
There is a network claiming to be a security company, however the activity appears to be a little more malicious, and appears to be attempting buffer overflows against POP-SSL services.. (and other attacks).
https://www.abuseipdb.com/check/104.156.155.21
Just thought it would be worth mentioning, you might want to keep an eye out for traffic from this company...
Might want to make up your own mind, or maybe someone has more information, but enough of a red flag, that thought it warranted posting on the list.
Not sure yet if it is Dovecot, or the SSL libraries they are attempting to break, but using a variety of SSL/TLS methods and connections...
They are not interested in dovecot per se. They scan for TLS vulnerabilities, mostly.
Anyone with more information?
NetRange: 104.156.155.0 - 104.156.155.255 CIDR: 104.156.155.0/24 NetName: ACDRESEARCH NetHandle: NET-104-156-155-0-1 Parent: NET104 (NET-104-0-0-0-0) NetType: Direct Allocation OriginAS: Organization: Academy of Internet Research Limited Liability Company (AIRLL) RegDate: 2022-01-07 Updated: 2022-01-07 Ref: https://rdap.arin.net/registry/ip/104.156.155.0
OrgName: Academy of Internet Research Limited Liability Company OrgId: AIRLL Address: #A1- 5436 Address: 1110 Nuuanu Ave City: Honolulu StateProv: HI PostalCode: 96817 Country: US RegDate: 2021-10-15 Updated: 2022-11-06 Ref: https://rdap.arin.net/registry/entity/AIRLL
--
See also shadowserver.org, census.io, stretchoid, etc. All of them allegedly reputable, all of them supposedly with opt-out mechanisms, and all of them are blocked for not asking permission.
YMMV.
Regards
Simon
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
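One way to implement the log-driven blocking Paul describes (tally Dovecot login failures per remote IP, then push the offenders into a PF table or iptables from a periodic job). This is an added example, not Paul's tracking system or any Dovecot code; it assumes Dovecot's standard login-process log format (the `rip=` field), the sample log lines are constructed, and the threshold and table name are arbitrary.

```python
"""Tally Dovecot login failures per source IP and emit firewall updates.
Added example, not Paul Kudla's tracking system or Dovecot code; the log
lines below are constructed in Dovecot's login-process format (rip= field)."""
import re
import shlex
from collections import Counter

RIP_RE = re.compile(r"\brip=(?P<ip>[0-9a-fA-F.:]+)")   # remote IP field
ATTEMPTS_RE = re.compile(r"(\d+) attempts in")          # weight by attempts
FAIL_MARKERS = ("auth failed", "no auth attempts", "SSL_accept() failed")

SAMPLE_LOG = """\
Nov 16 08:28:01 mx dovecot: pop3-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000102:SSL routines::unsupported protocol (no auth attempts in 0 secs): user=<>, rip=104.156.155.21, lip=192.0.2.10, TLS handshaking
Nov 16 08:28:02 mx dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<c1>
Nov 16 08:28:03 mx dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, mpid=4242, TLS, session=<c2>
Nov 16 08:28:05 mx dovecot: pop3-login: Aborted login (auth failed, 3 attempts in 9 secs): user=<root>, method=PLAIN, rip=104.156.155.21, lip=192.0.2.10, TLS, session=<c3>
Nov 16 08:28:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10, TLS, session=<c4>
"""

def failure_weight(line):
    """(ip, attempts) for a failed-login or TLS-probe line, else None."""
    m = RIP_RE.search(line)
    if not m or not any(marker in line for marker in FAIL_MARKERS):
        return None
    a = ATTEMPTS_RE.search(line)
    return m.group("ip"), (int(a.group(1)) if a else 1)

def tally(log_text):
    """Failed attempts per remote IP across the whole log text."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = failure_weight(line)
        if hit:
            counts[hit[0]] += hit[1]
    return counts

def offenders(log_text, threshold=3):
    """Remote IPs at or above the threshold, sorted for stable cron output."""
    return sorted(ip for ip, n in tally(log_text).items() if n >= threshold)

def firewall_commands(ips, pf_table="blocklist"):
    """PF (FreeBSD) and iptables (Linux) commands a periodic job would run."""
    cmds = []
    for ip in ips:
        cmds.append(f"pfctl -t {pf_table} -T add {shlex.quote(ip)}")
        cmds.append(f"iptables -I INPUT -s {shlex.quote(ip)} -j DROP")
    return cmds

if __name__ == "__main__":
    print("\n".join(firewall_commands(offenders(SAMPLE_LOG))))
```

Successful logins (the `Login:` line) are ignored, and a single connection that Dovecot reports as "3 attempts" counts three times, so one legitimate typo does not trip the threshold while a password-guessing run does.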
participants (11)
- Brendan Kearney
- Jochen Bern
- Marc
- Michael Peddemors
- Nick Lockheart
- Paul Kudla
- Paul Kudla (SCOM.CA Internet Services Inc.)
- Richard Siddall
- Rick Cooper
- Simon B
- Tim Dickson